CN113438289B - Block chain data processing method and device based on cloud computing - Google Patents

Block chain data processing method and device based on cloud computing Download PDF

Info

Publication number
CN113438289B
Authority
CN
China
Prior art keywords
blockchain
cloud server
contract
information
machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110690822.7A
Other languages
Chinese (zh)
Other versions
CN113438289A (en)
Inventor
魏长征
闫莺
张辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202110690822.7A
Publication of CN113438289A
Application granted
Publication of CN113438289B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2149 Restricted operating environment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

One or more embodiments of the present disclosure provide a method and apparatus for processing blockchain data based on cloud computing. The method may include: the blockchain all-in-one machine initiates a ciphertext request to a cloud server, where the cloud server decrypts the ciphertext request in a trusted execution environment it maintains to obtain a plaintext request, and the plaintext request contains relevant information about the data to be processed; and the blockchain all-in-one machine acquires an execution result returned by the cloud server, where the execution result is obtained by the cloud server performing the related operation on the data to be processed according to the relevant information.

Description

Block chain data processing method and device based on cloud computing
Technical Field
One or more embodiments of the present disclosure relate to the field of blockchain technologies, and in particular, to a blockchain data processing method and device based on cloud computing.
Background
Blockchain technology (also called distributed ledger technology) is a decentralized distributed database technology. It is characterized by decentralization, openness and transparency, tamper resistance and trustworthiness, and is suited to application scenarios with high demands on data reliability.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a method and apparatus for processing blockchain data based on cloud computing.
In order to achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
According to a first aspect of one or more embodiments of this specification, a blockchain data processing method based on cloud computing is provided, including:
the blockchain all-in-one machine initiates a ciphertext request to a cloud server, where the cloud server decrypts the ciphertext request in a trusted execution environment it maintains to obtain a plaintext request, and the plaintext request contains relevant information about the data to be processed;
and the blockchain all-in-one machine acquires an execution result returned by the cloud server, where the execution result is obtained by the cloud server performing the related operation on the data to be processed according to the relevant information.
According to a second aspect of one or more embodiments of this specification, a blockchain data processing method based on cloud computing is provided, including:
the cloud server obtains a ciphertext request initiated by the blockchain all-in-one machine and decrypts it in a trusted execution environment it maintains to obtain a plaintext request, so as to read the relevant information about the data to be processed that the plaintext request contains;
and the cloud server performs the related operation on the data to be processed according to the relevant information and returns the execution result of that operation to the blockchain all-in-one machine.
According to a third aspect of one or more embodiments of this specification, a blockchain data processing device based on cloud computing is provided, including:
a request initiating unit, which causes the blockchain all-in-one machine to initiate a ciphertext request to the cloud server, where the cloud server decrypts the ciphertext request in a trusted execution environment it maintains to obtain a plaintext request, and the plaintext request contains relevant information about the data to be processed;
and a result acquisition unit, which causes the blockchain all-in-one machine to acquire an execution result returned by the cloud server, where the execution result is obtained by the cloud server performing the related operation on the data to be processed according to the relevant information.
According to a fourth aspect of one or more embodiments of this specification, a blockchain data processing device based on cloud computing is provided, including:
a request acquisition unit, which causes the cloud server to obtain a ciphertext request initiated by the blockchain all-in-one machine and to decrypt it in a trusted execution environment it maintains to obtain a plaintext request, so as to read the relevant information about the data to be processed that the plaintext request contains;
and an execution unit, which causes the cloud server to perform the related operation on the data to be processed according to the relevant information and to return the execution result of that operation to the blockchain all-in-one machine.
According to a fifth aspect of one or more embodiments of this specification, an electronic device is provided, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of the first or second aspect by executing the executable instructions.
According to a sixth aspect of one or more embodiments of this specification, a computer-readable storage medium is provided having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of the first or second aspect.
Drawings
FIG. 1 is an architecture diagram of a blockchain data processing system based on cloud computing, provided by an exemplary embodiment.
FIG. 2 is a flowchart, on the blockchain all-in-one machine side, of a blockchain data processing method based on cloud computing, according to an exemplary embodiment.
FIG. 3 is an interaction diagram of invoking a cloud server to perform an off-chain computing task, provided by an exemplary embodiment.
FIG. 4 is an interaction diagram of a blockchain all-in-one machine applying to join a target blockchain network, according to an exemplary embodiment.
FIG. 5 is a flowchart, on the cloud server side, of a blockchain data processing method based on cloud computing, according to an exemplary embodiment.
FIG. 6 is a schematic diagram of an apparatus according to an exemplary embodiment.
FIG. 7 is a block diagram of a blockchain data processing device based on cloud computing, provided by an exemplary embodiment.
FIG. 8 is a block diagram of another blockchain data processing device based on cloud computing, provided by an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
In the early days of blockchain technology, users mostly added their own PCs, laptops and similar machines to a blockchain network to become its nodes. This can be called the 1.0 architecture era of blockchain networks: joining the network was an autonomous act of the user, and the user also had to operate and maintain the equipment autonomously, for example maintaining and configuring the PCs they had joined to the network. As blockchain technology developed, and especially as users' demand for high-performance, high-availability infrastructure grew, blockchain networks evolved into the 2.0 architecture era based on cloud services. In the 2.0 era, Blockchain-as-a-Service (BaaS) offers a quick and convenient path to deploying blockchains and bringing the technology into production, and it supports a large number of blockchain service projects. BaaS is typically built on public or private cloud infrastructure, which provides strong deployment capability but also introduces heavy infrastructure dependencies. Moreover, although a blockchain is a typical distributed computing technology, not all nodes can migrate to the cloud; some require on-premises deployment. The additional migration, operation and maintenance costs of on-premises deployment lead, in practice, to non-uniform technical interfaces and high deployment and maintenance costs. To meet users' demands for privacy, security and the like in a blockchain network, the network architecture therefore needs a further upgrade, to the 3.0 architecture era based on the blockchain all-in-one machine.
The blockchain all-in-one machine integrates software and hardware. When the publisher releases the all-in-one machine, it provides the user not only with the hardware but also with a software configuration deeply optimized for that hardware, which is what is meant by software-hardware integration.
Hardware optimization can be applied to the blockchain all-in-one machine. For example, a dedicated smart contract processing chip, such as an FPGA (Field Programmable Gate Array) or another type of chip, may be deployed on the all-in-one machine to raise the processing efficiency of smart contracts. A hardware root-of-trust key may be deployed in the smart contract processing chip; for example, the publisher may pre-burn the hardware root-of-trust key into the chip, and the publisher knows the public key corresponding to it (for example, the public key is disclosed). The smart contract processing chip can therefore send negotiation information to the publisher and sign it with the hardware root-of-trust key, and the publisher verifies the signature with the corresponding public key; once verification succeeds, the chip and the publisher can each derive the same key from the negotiation information. The negotiated key may include a file deployment key, under which the publisher encrypts the binary image files required by the blockchain node for transmission to the chip, and the chip decrypts and deploys them. The negotiated key may also include a service secret deployment key, under which the publisher transmits the blockchain node's node private key, service root key and so on to the chip, and the chip obtains and deploys them, so as to satisfy the private-transaction requirements of blockchain scenarios.
For example, the node private key corresponds to a node public key: a client may encrypt a blockchain transaction with the node public key, and the blockchain node decrypts it with the node private key. The service root key is a symmetric key and can be used to encrypt stored service data such as contract code and contract state values. The service root key need not be used directly; the smart contract processing chip may encrypt and decrypt with a key derived from the service root key, which reduces the exposure of the root key itself. By managing the node private key and the service root key (or keys derived from it) reliably, and by keeping data encrypted except while it is being processed by the smart contract processing chip, the chip in effect forms a hardware TEE (Trusted Execution Environment) on the blockchain all-in-one machine, so that data requiring privacy protection, such as transactions, contract code and contract state, is not disclosed.
As another example, a smart network interface card (smart NIC) may be deployed on the blockchain all-in-one machine. Beyond the functions of a conventional NIC, the smart NIC can replace or assist the CPU of the all-in-one machine in completing part of its work, offloading computation from the CPU. In particular, network I/O-intensive operations can be moved to the smart NIC, leaving the CPU free for more compute-intensive operations such as transaction processing and storage processing. Because the smart NIC sits closer to the network than other components (such as the CPU), both physically and logically, it is always the first to see data arriving from the network; processing such data on the smart NIC with little or no memory access therefore yields relatively higher processing efficiency, lower latency and greater throughput, that is, a relatively large performance gain at relatively low cost. For example, in the consensus algorithm the smart NIC can complete consensus operations without accessing storage, except in cases such as a change of network state, addition or removal of nodes, or a change of consensus configuration; only the consensus result is reported to the CPU, which does not take part in the consensus process directly, so consensus efficiency can be improved markedly. Similarly, having the smart NIC forward transactions, or perform block synchronization on a newly added blockchain node, achieves similar effects, and the details are not repeated here.
In addition, on receipt of a transaction the smart NIC can identify and filter out replayed transactions by comparing it with historical transactions, for example on the sender information, destination address, timestamp and hash value fields of the transaction. The smart NIC can also inspect the content of a received transaction and filter out illegal transactions, or predefined transactions that the operator does not wish to process, complementing the Layer 2 or Layer 3 message filtering performed by the switch.
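The replay and policy filtering just described, as an added example in Go (not code from the patent or from Alipay): a filter that rejects transactions dated outside a fixed window, drops deny-listed destinations, and then compares a digest over sender, destination, timestamp and payload against the hashes seen inside the window. The `Tx` fields, the window length, the deny list and the sample transactions are constructed for the example; the page does not specify a transaction format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Tx holds the fields the smart NIC compares against history. The field set is
// constructed for this example; the page only names sender, destination,
// timestamp and hash as candidates.
type Tx struct {
	Sender, To string
	Timestamp  int64 // seconds since the epoch, set by the sender
	Payload    string
}

// Hash identifies a transaction by a digest over all compared fields, so an
// identical resubmission collides with the stored history entry.
func (t Tx) Hash() string {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%d|%s", t.Sender, t.To, t.Timestamp, t.Payload)
	return hex.EncodeToString(h.Sum(nil))
}

// ReplayFilter keeps only the hashes seen inside one time window. Anything
// dated outside the window is rejected before the lookup, so history stays
// bounded and a replay cannot slip through by being resent after eviction.
type ReplayFilter struct {
	window time.Duration
	seen   map[string]int64 // hash -> sender timestamp
	denied map[string]bool  // destinations the operator refuses to forward
	now    func() time.Time // injectable clock
}

func NewReplayFilter(window time.Duration, denied []string, now func() time.Time) *ReplayFilter {
	f := &ReplayFilter{window: window, seen: map[string]int64{}, denied: map[string]bool{}, now: now}
	for _, d := range denied {
		f.denied[d] = true
	}
	return f
}

// Admit returns nil and records the transaction if it is fresh and allowed;
// otherwise it returns why the NIC dropped it before the CPU ever saw it.
func (f *ReplayFilter) Admit(t Tx) error {
	now := f.now().Unix()
	span := int64(f.window / time.Second)
	if t.Timestamp < now-span || t.Timestamp > now+span {
		return fmt.Errorf("timestamp %d outside the %s window", t.Timestamp, f.window)
	}
	if f.denied[t.To] {
		return fmt.Errorf("destination %s is on the deny list", t.To)
	}
	for h, ts := range f.seen { // evict history older than the window
		if ts < now-span {
			delete(f.seen, h)
		}
	}
	h := t.Hash()
	if _, dup := f.seen[h]; dup {
		return fmt.Errorf("replay of %s (%s -> %s)", h[:12], t.Sender, t.To)
	}
	f.seen[h] = t.Timestamp
	return nil
}

func main() {
	clock := func() time.Time { return time.Unix(1700000000, 0) } // fixed clock for a reproducible run
	f := NewReplayFilter(5*time.Minute, []string{"0xdead"}, clock)
	tx := Tx{Sender: "0xa11ce", To: "0xb0b", Timestamp: 1699999970, Payload: "transfer 10"}
	fmt.Println("first submission:", f.Admit(tx))
	fmt.Println("resubmission:", f.Admit(tx))
	fmt.Println("deny-listed:", f.Admit(Tx{Sender: "0xa11ce", To: "0xdead", Timestamp: 1699999980}))
}
```

Bounding the history to one window is what keeps the comparison cheap enough to run on the NIC without touching the node's full transaction store; the timestamp check has to come before the lookup, otherwise a transaction resent after its hash was evicted would pass as new.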
As another example, a cryptographic acceleration card, also called a high-speed cryptographic card, may be deployed on the blockchain all-in-one machine. The cryptographic acceleration card can provide fully encrypted memory, resist side-channel attacks through hardware hardening, and provide physical protection against probing, laser and similar means, giving a very high level of security. For example, the cryptographic acceleration card used on the blockchain all-in-one machine may hold a national commercial cryptography (guomi) level-2 or level-3 certification, or another certification. When a cryptographic acceleration card is deployed, the hardware root-of-trust key can be kept in the card, which performs signing operations with it and replaces or assists the smart contract processing chip in operations such as key negotiation; similarly, the card can hold a public key and perform signature verification with it. In short, at least part of the key management, encryption and decryption, and signing and verification operations on the blockchain all-in-one machine can be handed to the cryptographic acceleration card, which both gives a very high level of security and offloads work from the CPU of the all-in-one machine or the smart contract processing chip, improving processing efficiency.
Software optimization can be applied to the blockchain all-in-one machine. For example, the all-in-one machine can ship with a built-in certificate authority service that issues certificates automatically and authenticates node identities, and it can build a chain and join blockchain nodes automatically, so that the all-in-one machine is plug and play. A user can thus deploy blockchain all-in-one machines quickly; for example, a private blockchain network can be set up quickly among several all-in-one machines to meet the user's privacy and security requirements. As another example, the all-in-one machine can integrate a standardized service interface to the cloud, so that it connects automatically to cloud services; this enables hybrid deployment of blockchain all-in-one machines together with cloud servers deployed in the cloud, forming a hybrid blockchain network. The cloud server can serve as an off-chain node of a blockchain network built from all-in-one machines, or as a cloud-side blockchain node that forms the blockchain network together with the all-in-one machines.
The blockchain all-in-one machine can integrate a standardized cross-chain service interface, so that it can provide cross-chain services based on a standardized cross-chain protocol or standardized cross-chain service. This greatly expands the application scenarios of the all-in-one machine and meets users' cross-chain needs, for example cross-chain data interaction between different blockchain networks, or cross-chain data interaction between a blockchain network and an off-chain computing node (for example, an off-chain computing node that takes over computing tasks from blockchain nodes).
For the scenario of hybrid deployment of blockchain all-in-one machines and cloud servers, this specification provides a blockchain data processing scheme based on cloud computing, described below with reference to the accompanying drawings.
Referring to FIG. 1, FIG. 1 is an architecture diagram of a blockchain data processing system based on cloud computing according to an exemplary embodiment. As shown in FIG. 1, the blockchain network 10 may include blockchain all-in-one machines 11, 12, 13 and 14, four in total; of course, this specification does not limit the number of all-in-one machines. All-in-one machines 11 to 14 are all connected to the switch 15, so they are in fact on the same local area network. In addition, the blockchain network 10 may access a cloud service (for example, the BaaS service described above), such as the cloud server 20; several cloud servers may be accessed, and this specification does not limit their number. By connecting the blockchain network 10 to cloud services, those services can provide the network with high-performance, high-availability infrastructure through high-performance cloud servers and cloud computing.
Referring to fig. 2, fig. 2 is a flowchart of a blockchain data processing method based on cloud computing on a blockchain integrator side provided by an exemplary embodiment. As shown in fig. 2, the method may include the steps of:
in step 202, the blockchain all-in-one machine initiates a ciphertext request to a cloud server, wherein the ciphertext request is decrypted by the cloud server in a maintained trusted execution environment to obtain a plaintext request, and the plaintext request contains relevant information aiming at data to be processed.
In an embodiment, in order to ensure data security after the blockchain all-in-one machine is connected to the cloud, a TEE may be created on the cloud server. The blockchain all-in-one machine initiates a request to the cloud server in ciphertext form, and the cloud server decrypts the ciphertext request in the TEE it maintains to obtain the plaintext request, and thus the data contained in the plaintext request.
A TEE is a trusted execution environment based on a secure extension of the CPU hardware and completely isolated from the outside. The TEE was originally proposed by GlobalPlatform to solve the secure isolation of resources on mobile devices, providing applications with a trusted and secure execution environment running in parallel to the operating system. TEE solutions currently receive wide attention in the industry, and almost all mainstream chip and software alliances have their own, such as TPM (Trusted Platform Module) on the software side and Intel SGX (Software Guard Extensions), ARM TrustZone and AMD PSP (Platform Security Processor) on the hardware side. For example, the TEE may be deployed using Intel SGX (hereinafter referred to as SGX) or the FPGA mentioned above.
Take Intel SGX technology as an example. Based on SGX, the cloud server may create an enclave as the TEE for responding to requests initiated by the blockchain all-in-one machine. Using new processor instructions in the CPU, the cloud server may allocate part of memory as the EPC (Enclave Page Cache), in which the enclave resides. The memory region corresponding to the EPC is encrypted by the Memory Encryption Engine (MEE) inside the CPU; the content of that region (the enclave's code and data) can be decrypted only inside the CPU core, and the key used for encryption and decryption is generated when the EPC is started and stored only in the CPU. The security boundary of the enclave therefore contains only itself and the CPU: neither privileged nor unprivileged software can access the enclave, and even the operating system administrator and the VMM (Virtual Machine Monitor, also called the hypervisor) cannot affect the code and data inside it, which gives extremely high security. At the same time, the CPU can process requests in plaintext form inside the enclave with very high efficiency, so both data security and computational efficiency are achieved.
In step 204, the blockchain all-in-one machine obtains an execution result returned by the cloud server, where the execution result is obtained by the cloud server performing the related operation on the data to be processed according to the related information.
When the blockchain all-in-one machine acts as a blockchain node, the transfer of data from on-chain to off-chain, or from off-chain to on-chain, may be accomplished through an oracle mechanism. The cooperation between an oracle contract and an oracle server is referred to herein as the oracle mechanism. Specifically, the blockchain all-in-one machine may generate an event containing the ciphertext request by invoking the oracle contract (e.g., by creating a transaction that invokes the oracle contract); the oracle server listens for events generated by the oracle contract, and when it observes the event containing the ciphertext request, it reads the ciphertext request from the event and sends it to the cloud server. Similarly, the cloud server may send the execution result to the oracle server, and the oracle server returns the execution result to the oracle contract, so that the blockchain all-in-one machine obtains the execution result.
In one embodiment, the blockchain network is built from blockchain all-in-one machines, and the cloud server is an off-chain node with respect to the blockchain network. Because the blockchain network is decentralized, every blockchain transaction on the blockchain must be executed on all blockchain nodes in the blockchain network, so that the blockchain ledger data maintained by each blockchain node stays consistent. If the transaction logic is simple, for example in Bitcoin, where a blockchain transaction is only used to implement a transfer, then executing the transaction on all blockchain nodes does not incur excessive resource consumption. However, if the blockchain provides smart contract functionality and the blockchain transaction invokes a smart contract, the situation may be quite different. Smart contracts on a blockchain are contracts on the blockchain system that can be triggered by a transaction to execute, and they can be defined in the form of code.
Take Ethereum as an example. Ethereum supports users in creating and invoking some complex logic in the Ethereum network, which is the biggest challenge that distinguishes Ethereum from the Bitcoin blockchain technology. At the heart of Ethereum as a programmable blockchain is the Ethereum Virtual Machine (EVM), which can be run by every Ethereum node. The EVM is a Turing-complete virtual machine, meaning that various complex logic can be implemented through it. The smart contracts that users publish and invoke in Ethereum run on the EVM. In practice, the virtual machine runs virtual machine code (virtual machine bytecode, hereinafter "bytecode") directly. A smart contract goes through two phases: deployment and invocation.
In the deployment phase, the user sends a transaction containing the information for creating a smart contract to the Ethereum network; the data field of the transaction contains the code (e.g., bytecode) of the smart contract, and the to field of the transaction is empty. Each node in the Ethereum network executes this transaction through the EVM and generates a corresponding contract instance. After the nodes reach agreement through the consensus mechanism, the smart contract corresponding to the transaction is created successfully, and a contract account corresponding to the smart contract appears on the blockchain. The contract account has a specific contract address, and the contract code (namely, the code of the smart contract) or a hash value of the contract code is stored in the contract account; the contract code controls the behavior of the corresponding smart contract.
In the invocation phase, the user (who may be the same as or different from the user who deployed the smart contract) sends a transaction for invoking the smart contract to the Ethereum network; the from field of the transaction is the address of the external account corresponding to the user, the to field is the contract address of the smart contract to be invoked, and the data field contains the method and parameters for invoking the smart contract. After the nodes reach agreement through the consensus mechanism, the smart contract declared by the transaction is executed independently on each node of the Ethereum network in the specified manner, and all execution records and data are stored on the blockchain, so that once the transaction is completed, a transaction proof that cannot be tampered with or lost is stored on the blockchain.
As mentioned above, the EVM is a Turing-complete virtual machine; similarly, other blockchains may employ other types of virtual machines, such as WASM (WebAssembly) virtual machines. In summary, when a smart contract invoked by a transaction implements relatively complex logic, the process in which a node executes the code of the smart contract through a virtual machine consumes relatively many computing resources, and since all nodes in the blockchain network need to execute the code of the smart contract, the consumption of computing resources increases exponentially as the number of nodes increases. Thus, while combining TEE technology can reduce the resource consumption of individual blockchain nodes somewhat and increase the efficiency of transaction execution, significant resource consumption and waste still result across the blockchain network as a whole.
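As an added illustration of the two phases just described (this is not code from the patent), the following Go program models a deployment transaction (empty to field, code in the data field) and invocation transactions (to set to the contract address) applied by two independent nodes, and checks that both nodes end with the same ledger state, which is the property the specification relies on when it says every node must execute every transaction. The address derivation, the "method:argument" encoding of the data field and the toy counter contract are constructed simplifications, not Ethereum's real rules.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Tx carries the fields the deployment/invocation distinction rests on. An empty
// To field means "create a contract"; otherwise To is the contract address being
// called. Data holds the contract code on deployment and "method:argument" on
// invocation (a constructed encoding standing in for the real Ethereum ABI).
type Tx struct {
	From  string
	To    string
	Data  string
	Nonce uint64
}

// ContractAccount is what appears on chain after deployment: an address plus the
// code (and its hash) that controls the contract's behavior.
type ContractAccount struct {
	Address  string
	Code     string
	CodeHash string
	Counter  int64 // the toy contract's only state variable
}

// Node is one blockchain node's copy of the ledger.
type Node struct {
	Contracts map[string]*ContractAccount
}

func NewNode() *Node { return &Node{Contracts: map[string]*ContractAccount{}} }

func sha256Hex(parts ...string) string {
	h := sha256.New()
	for _, p := range parts {
		h.Write([]byte(p))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Execute applies one transaction and returns the new contract address
// (deployment) or the method's return value (invocation).
func (n *Node) Execute(tx Tx) (string, error) {
	if tx.To == "" {
		// Deployment: derive the address from sender and nonce so that every
		// node computes the same address (a constructed rule, not Ethereum's).
		addr := sha256Hex(tx.From, strconv.FormatUint(tx.Nonce, 10))[:40]
		if _, exists := n.Contracts[addr]; exists {
			return "", errors.New("contract address already in use")
		}
		n.Contracts[addr] = &ContractAccount{Address: addr, Code: tx.Data, CodeHash: sha256Hex(tx.Data)}
		return addr, nil
	}
	c, ok := n.Contracts[tx.To]
	if !ok {
		return "", fmt.Errorf("no contract at address %s", tx.To)
	}
	// Toy virtual machine: the stored code is the comma-separated list of
	// methods the contract exposes; anything else is rejected.
	parts := strings.SplitN(tx.Data, ":", 2)
	method, arg := parts[0], ""
	if len(parts) == 2 {
		arg = parts[1]
	}
	if !strings.Contains(","+c.Code+",", ","+method+",") {
		return "", fmt.Errorf("method %q is not part of the contract code", method)
	}
	if method == "add" {
		v, err := strconv.ParseInt(arg, 10, 64)
		if err != nil {
			return "", err
		}
		c.Counter += v
	}
	return strconv.FormatInt(c.Counter, 10), nil
}

// StateRoot summarizes the ledger so that two nodes' copies can be compared.
func (n *Node) StateRoot() string {
	addrs := make([]string, 0, len(n.Contracts))
	for a := range n.Contracts {
		addrs = append(addrs, a)
	}
	sort.Strings(addrs)
	h := sha256.New()
	for _, a := range addrs {
		c := n.Contracts[a]
		fmt.Fprintf(h, "%s|%s|%d;", c.Address, c.CodeHash, c.Counter)
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	n := NewNode()
	addr, _ := n.Execute(Tx{From: "0xalice", Data: "add,get", Nonce: 1}) // deployment
	out, _ := n.Execute(Tx{From: "0xbob", To: addr, Data: "add:5"})      // invocation
	fmt.Println("deployed at", addr, "counter =", out)
}
```

Running the same transaction list through two `Node` values and comparing `StateRoot()` is the check that matters: if any node executed the contract differently, its ledger would diverge.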
In view of this, a cloud server may be deployed in the cloud as an off-chain node with respect to the blockchain network, so that computing operations that would otherwise need to be performed on all blockchain nodes are transferred to the off-chain node for execution. The blockchain nodes then only need to obtain the computation result from the off-chain node and update the blockchain ledger data based on it, and a verifiable computation technique can prove that the computation was actually performed as expected inside the TEE. Because cloud servers are off-chain nodes, the same computing operation does not need to be performed by all cloud servers in the way it would by all blockchain nodes, so on-chain resource consumption can be reduced while reliability is ensured. As described above, by deploying a smart contract on a blockchain node, the blockchain node may execute the code of the smart contract to meet the corresponding computing need; similarly, code for performing computing tasks may be deployed on the off-chain node so that the off-chain node may execute that code to meet the corresponding computing need. For ease of understanding, in this specification contracts deployed on blockchain nodes are referred to as on-chain contracts, and contracts deployed on off-chain nodes are referred to as off-chain contracts; of course, both an on-chain contract and an off-chain contract are essentially a piece of code that can be executed within a virtual machine.
Based on a cloud server with a TEE created on it, an off-chain contract may be pre-deployed on the cloud server, and a WASM virtual machine may be deployed within the TEE created by the cloud server. When a computing task based on a WASM program is initiated to the cloud server, the cloud server can read the off-chain contract into the TEE and compile it into WASM bytecode; the WASM virtual machine serves as the execution engine, and the compiled WASM bytecode is executed in the WASM virtual machine. In this scenario, the ciphertext request (or plaintext request) is a request to invoke the off-chain contract, the data to be processed is the data to be computed, and the related information includes the data to be computed and the contract address of the off-chain contract used to compute it. The cloud server may then determine the off-chain contract it has deployed according to the contract address, read the data to be computed and the determined off-chain contract into the TEE, and compile the off-chain contract into bytecode, so that the bytecode is executed by the execution engine deployed in the TEE to compute the data to be computed.
For ease of understanding, the process of invoking a cloud server to perform an off-chain computing task is described in detail below with reference to an example and FIG. 3.
Referring to FIG. 3, FIG. 3 is an interaction diagram of invoking a cloud server to perform an off-chain computing task according to an exemplary embodiment. As shown in FIG. 3, the interaction process may include the following steps:
In step 302, the blockchain all-in-one machine generates a contract verification event.
In this embodiment, the blockchain all-in-one machine acts as a blockchain node in the blockchain network, and before invoking the off-chain cloud server to execute a computing task, it can verify in advance whether the off-chain contract deployed on the cloud server is trusted. Data transfer between the blockchain node and the off-chain cloud server can be realized through the oracle mechanism.
In step 304, the oracle server listens for the contract verification event.
In step 306, the oracle server sends challenge information to the cloud server.
In step 308, the cloud server obtains the contract information of the deployed off-chain contract.
In step 310, the cloud server returns a remote attestation report and the contract information to be verified to the oracle server.
In step 312, the oracle server returns the remote attestation report and the contract information to be verified to the blockchain all-in-one machine.
In this embodiment, the blockchain all-in-one machine may invoke a pre-deployed oracle contract, which may generate a contract verification event that includes the challenge information; the oracle server obtains the challenge information by listening for the event generated by the oracle contract and sends it to the cloud server through an off-chain channel. After receiving the challenge information, the cloud server may obtain a remote attestation report for the TEE it has deployed and the contract information (as the contract information to be verified) for the off-chain contract it has deployed.
Taking Intel SGX technology as an example, the TEE is an enclave created on the cloud server for performing off-chain computation, and the remote attestation process also involves another special enclave on the cloud server, the Quoting Enclave (QE for short), which is an architectural enclave provided and signed by Intel. A REPORT structure for local attestation is generated first; the QE verifies from the REPORT structure whether the REPORT is on the same platform as itself, then encapsulates the REPORT structure into a QUOTE structure (i.e., the quote information) and signs the QUOTE with the EPID (Enhanced Privacy ID) key. The EPID key not only represents the platform of the cloud server but also represents the trustworthiness of the cloud server's underlying hardware, and can also bind information such as the processor firmware version; only the QE can access the EPID key used to sign the QUOTE structure. In SGX technology, the attestation server may be an IAS (Intel Attestation Service) server provided by Intel; the cloud server sends the signed QUOTE structure to the IAS server, so that the IAS server can verify the signature and return the corresponding remote attestation report to the cloud server.
After the cloud server creates the TEE, it generates the quote information used for remote attestation, which anchors and fixes the information about the TEE, so that the resulting remote attestation report containing the quote information can characterize the state of the TEE and be used to verify whether the TEE is authentic. For example, the quote information may include a first hash value to be verified, which is a hash value of preset information in the TEE; for example, the preset information may include all code deployed in the TEE, the public key of the developer of the TEE, and so on. Taking Intel SGX technology as an example, the hash value generated over all code deployed within the TEE is MRENCLAVE and the hash value generated over the public key of the developer of the TEE is MRSIGNER, i.e., the first hash value to be verified may include MRENCLAVE and MRSIGNER.
Still taking Intel SGX technology as an example. As described above, after the cloud server sends the signed QUOTE structure to the IAS server, the IAS server performs signature verification according to the public key set it maintains and returns a remote attestation report (i.e., an AVR report) to the cloud server. The remote attestation report includes the QUOTE structure and the signature verification result, and the IAS server signs the remote attestation report with its own private key.
Accordingly, after the blockchain all-in-one machine obtains the remote attestation report, it can first verify the signature of the remote attestation report using the public key of the IAS server; if the verification passes, the remote attestation report was indeed generated by the IAS server and the data was not tampered with or lost during transmission. The blockchain all-in-one machine may obtain the public key of the IAS server by any means; for example, when the remote attestation report is provided to the blockchain all-in-one machine, the certificate chain of the IAS may be provided along with it, so that the blockchain all-in-one machine can extract the public key of the IAS server from the certificate chain. The blockchain all-in-one machine may then extract the QUOTE structure and the signature verification result from the remote attestation report. It can check the signature verification result first: if the result is that verification passed, the CPU of the cloud server holds a private key provided by Intel, so the TEE was established on a reliable hardware platform, and the other verification operations can continue; if the result is that verification did not pass, the blockchain all-in-one machine can conclude that the cloud server is unreliable, and the other verification operations need not continue.
The blockchain all-in-one machine may then extract the above-mentioned hash values MRENCLAVE and MRSIGNER, i.e., the MRENCLAVE and MRSIGNER to be checked, from the QUOTE structure. Meanwhile, the blockchain all-in-one machine obtains in advance the first standard hash value of the preset information of the TEE, namely trusted values of MRENCLAVE and MRSIGNER (hereinafter the trusted MRENCLAVE and trusted MRSIGNER), compares the MRENCLAVE to be checked with the trusted MRENCLAVE, and compares the MRSIGNER to be checked with the trusted MRSIGNER. The blockchain all-in-one machine can then take "the MRENCLAVE to be checked matches the trusted MRENCLAVE, and the MRSIGNER to be checked matches the trusted MRSIGNER" as a precondition for confirming that the TEE is trusted; in other words, if the MRENCLAVE to be checked does not match the trusted MRENCLAVE, or the MRSIGNER to be checked does not match the trusted MRSIGNER, the blockchain all-in-one machine determines that the TEE of the cloud server is not trusted, and only if all preconditions set by the blockchain all-in-one machine are satisfied can the TEE of the cloud server be confirmed as trusted. In addition, the operation of checking the signature verification result and the operation of checking the MRENCLAVE and MRSIGNER to be checked have no necessary order; the two operations can be completely independent.
In step 314, the blockchain all-in-one machine performs signature verification and contract information verification.
When the TEE of the cloud server is determined to be trusted according to the remote attestation report, the blockchain all-in-one machine obtains the contract information to be verified of the off-chain contract deployed on the cloud server. The contract information to be verified is signed by the cloud server inside the TEE with the cloud server's identity private key, which is generated by the cloud server in the TEE and maintained in the TEE. For example, the cloud server may read the deployed off-chain contract into the TEE and sign it with its own identity private key.
The blockchain all-in-one machine uses the identity public key of the cloud server to verify the signature on the contract information to be verified, and verifies the contract information to be verified against the contract information of the off-chain contract. The identity public key is public; for example, the cloud server publishes the identity public key so that the blockchain all-in-one machine can obtain it. Likewise, the contract information of the off-chain contract can also be public; for example, it is published by the deployer of the off-chain contract so that the blockchain all-in-one machine can obtain it. The contract information may include, but is not limited to, the name, description, version number, bytecode hash value, contract identity public key and so on of the off-chain contract.
If both the signature verification and the contract information verification pass, the blockchain all-in-one machine may determine that, when it initiates a call to the off-chain contract through the oracle mechanism, the off-chain contract is executed by the cloud server in the TEE. In this specification, the premise of verifying the off-chain contract is that the TEE of the cloud server is trusted. Under that premise, if signature verification shows that the off-chain contract information provided by the cloud server was indeed signed with the cloud server's identity private key (maintained in the TEE), it can be determined that the off-chain contract being challenged is the one running in the TEE of the cloud server; if the off-chain contract information to be verified then also passes verification, the off-chain contract running in the TEE of the cloud server is the correct one, so the off-chain contract deployed on the cloud server can finally be determined to be trusted and the computing task will be executed as expected.
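The two verifications of steps 312 and 314, the remote attestation report check and the contract information check, can be written out as follows. This is an added example, not part of the patent, and it simulates the parties with ordinary key pairs: an ECDSA P-256 key stands in for the IAS signing key, an Ed25519 key for the cloud server's enclave identity key, and SHA-256 digests of constructed strings for MRENCLAVE, MRSIGNER and the bytecode hash. The JSON layout of the report and of the contract information is assumed for the example; it is not the real AVR or QUOTE format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Quote is the part of the QUOTE structure the all-in-one machine inspects:
// both measurements plus the EPID signature verification result from IAS.
type Quote struct {
	MREnclave []byte `json:"mrenclave"`
	MRSigner  []byte `json:"mrsigner"`
	Status    string `json:"status"` // "OK" when IAS accepted the EPID signature
}

// Report models the AVR report: the serialized quote and the IAS signature over it.
// ECDSA P-256 stands in here for the RSA key IAS really uses (assumption).
type Report struct{ Body, Signature []byte }

// ContractInfo is the published description of the off-chain contract.
type ContractInfo struct {
	Name          string `json:"name"`
	Version       string `json:"version"`
	BytecodeHash  []byte `json:"bytecode_hash"`
	ContractIDKey []byte `json:"contract_identity_pk"`
}

// VerifyReport returns nil only if the IAS signature is valid, IAS accepted the
// EPID signature, and both measurements equal the trusted values. The status check
// and the measurement checks are independent of each other: every failure is collected.
func VerifyReport(iasPub *ecdsa.PublicKey, rep Report, trusted Quote) error {
	digest := sha256.Sum256(rep.Body)
	if !ecdsa.VerifyASN1(iasPub, digest[:], rep.Signature) {
		return errors.New("report not signed by the IAS key")
	}
	var q Quote
	if err := json.Unmarshal(rep.Body, &q); err != nil {
		return err
	}
	var failures []string
	if q.Status != "OK" {
		failures = append(failures, "EPID signature rejected by IAS")
	}
	if !bytes.Equal(q.MREnclave, trusted.MREnclave) {
		failures = append(failures, "MRENCLAVE mismatch")
	}
	if !bytes.Equal(q.MRSigner, trusted.MRSigner) {
		failures = append(failures, "MRSIGNER mismatch")
	}
	if len(failures) > 0 {
		return fmt.Errorf("TEE not trusted: %v", failures)
	}
	return nil
}

// VerifyContractInfo checks the enclave identity signature over the contract
// information, then compares it field by field with the published copy.
func VerifyContractInfo(idPub ed25519.PublicKey, signed, sig []byte, pub ContractInfo) error {
	if !ed25519.Verify(idPub, signed, sig) {
		return errors.New("contract info not signed by the enclave identity key")
	}
	var got ContractInfo
	if err := json.Unmarshal(signed, &got); err != nil {
		return err
	}
	if got.Name != pub.Name || got.Version != pub.Version ||
		!bytes.Equal(got.BytecodeHash, pub.BytecodeHash) || !bytes.Equal(got.ContractIDKey, pub.ContractIDKey) {
		return errors.New("contract info differs from the published contract info")
	}
	return nil
}

// Demo is a constructed scenario: an IAS key, a report over the trusted
// measurements, and contract information signed by the enclave identity key.
type Demo struct {
	IASPub      *ecdsa.PublicKey
	Report      Report
	Trusted     Quote
	IdentityPub ed25519.PublicKey
	SignedInfo  []byte
	InfoSig     []byte
	Published   ContractInfo
}

func BuildDemo() (*Demo, error) {
	iasKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	idPub, idPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	mre, mrs := sha256.Sum256([]byte("constructed enclave code")), sha256.Sum256([]byte("constructed developer key"))
	trusted := Quote{MREnclave: mre[:], MRSigner: mrs[:], Status: "OK"}
	body, _ := json.Marshal(trusted)
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, iasKey, digest[:])
	if err != nil {
		return nil, err
	}
	bc := sha256.Sum256([]byte("constructed wasm bytecode"))
	info := ContractInfo{Name: "offchain-sum", Version: "1.0.0", BytecodeHash: bc[:], ContractIDKey: []byte("constructed-pk")}
	signed, _ := json.Marshal(info)
	return &Demo{IASPub: &iasKey.PublicKey, Report: Report{body, sig}, Trusted: trusted, IdentityPub: idPub,
		SignedInfo: signed, InfoSig: ed25519.Sign(idPriv, signed), Published: info}, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("report:", VerifyReport(d.IASPub, d.Report, d.Trusted), "contract:", VerifyContractInfo(d.IdentityPub, d.SignedInfo, d.InfoSig, d.Published))
}
```

`VerifyReport` deliberately keeps collecting after the first failed precondition so that an operator sees every mismatch at once; the signature check alone short-circuits, because an unsigned report says nothing about the measurements inside it.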
In step 316, the client submits a transaction to the blockchain all-in-one machine.
In one case, the encrypted call request is included directly in the transaction submitted by the client, so that the blockchain all-in-one machine can decrypt the transaction in the TEE it maintains to obtain the ciphertext request, and then transmit the ciphertext request to the cloud server through the oracle mechanism.
In another case, the transaction submitted by the client includes initial data (or description information of the initial data; for example, the description information may be a storage address). The blockchain all-in-one machine may then process the initial data by executing an on-chain contract to obtain the corresponding input parameter data (i.e., the data to be processed); after the on-chain contract has executed, the contract address of the off-chain contract and the input parameter data may be packaged into a call request, and the call request may be encrypted. Because the client does not need to add the input parameter data to the transaction directly, the process of invoking the off-chain contract to perform off-chain computation is transparent to the client: the client only needs to obtain the returned computation result, without caring whether the invoked contract is on-chain or off-chain.
It should be noted that, for the encrypted transmission of the call request, symmetric encryption, asymmetric encryption, or a combination of symmetric and asymmetric encryption may be used, so as to ensure that the content of the call request is not disclosed during transmission. This part can refer to applications in the related art and will not be described in detail here.
In step 318, the blockchain all-in-one machine generates a contract invocation event.
In step 320, the oracle server listens for the contract invocation event.
In step 322, the oracle server sends the call request to the cloud server.
In this embodiment, after verifying through the above steps that the off-chain contract deployed on the cloud server is trusted, the blockchain all-in-one machine transfers the computing task to the cloud server for execution. Specifically, the blockchain all-in-one machine initiates a call request to the cloud server through the oracle mechanism, and the cloud server feeds back the computation result through the oracle mechanism. For example, the blockchain all-in-one machine generates a contract invocation event that includes the call request. When the oracle server observes the contract invocation event, it reads the call request contained in the event and sends it to the cloud server, which decrypts it in the TEE it maintains and responds.
In step 324, the cloud server invokes the off-chain contract to perform the computing task.
In step 326, the cloud server returns the computation result to the oracle server.
In step 328, the oracle server returns the computation result to the blockchain all-in-one machine.
After the blockchain all-in-one machine (serving as a blockchain node) obtains the computation result, it can broadcast the computation result in the blockchain network so that all blockchain nodes obtain it, and the blockchain ledger is then updated according to the computation result.
In step 330, the blockchain all-in-one machine returns the computation result to the client.
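The encrypted call request of steps 316 to 324 can be sealed with the combination of symmetric and asymmetric encryption mentioned above. The Go program below is an added example rather than code from the patent: the blockchain side wraps a fresh AES-256-GCM key with RSA-OAEP under the cloud server's public key, the oracle server only carries the resulting envelope, and the cloud server unwraps and executes inside what would be the TEE. The contract address, the summing contract and the envelope layout are constructed for the example; the RSA key here is generated in ordinary memory, whereas the specification keeps it inside the TEE.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// CallRequest is the plaintext the on-chain contract packages: the off-chain
// contract address and the input parameter data.
type CallRequest struct {
	ContractAddress string  `json:"contract"`
	Params          []int64 `json:"params"`
}

// Envelope is the ciphertext request placed in the contract invocation event and
// relayed unchanged by the oracle server: the request sealed under a fresh
// AES-256-GCM key, with that key wrapped by RSA-OAEP under the cloud server's key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a call request so that only the holder of the RSA private key
// (the cloud server's TEE) can read it.
func Seal(pub *rsa.PublicKey, req CallRequest) (Envelope, error) {
	plain, _ := json.Marshal(req) // cannot fail for this struct
	buf := make([]byte, 32+12)    // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// CloudServer holds the RSA private key (in the real scheme generated and kept
// inside the TEE) and the off-chain contracts deployed on it, keyed by address.
type CloudServer struct {
	key       *rsa.PrivateKey
	contracts map[string]func([]int64) int64
}

// NewCloudServer deploys one constructed off-chain contract that sums its inputs.
func NewCloudServer() (*CloudServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sum := func(p []int64) (s int64) {
		for _, v := range p {
			s += v
		}
		return s
	}
	return &CloudServer{key: key, contracts: map[string]func([]int64) int64{"offchain-sum-v1": sum}}, nil
}

func (s *CloudServer) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// Handle is the TEE side: unwrap the key, open the request (which fails on any
// tampering with the envelope), look the contract up by address and run it.
func (s *CloudServer) Handle(env Envelope) (int64, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, env.WrappedKey, nil)
	if err != nil {
		return 0, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return 0, err
	}
	var req CallRequest
	if err := json.Unmarshal(plain, &req); err != nil {
		return 0, err
	}
	f, ok := s.contracts[req.ContractAddress]
	if !ok {
		return 0, fmt.Errorf("no off-chain contract at %q", req.ContractAddress)
	}
	return f(req.Params), nil
}

func main() {
	s, err := NewCloudServer()
	if err != nil {
		panic(err)
	}
	env, _ := Seal(s.PublicKey(), CallRequest{ContractAddress: "offchain-sum-v1", Params: []int64{3, 4, 5}})
	fmt.Println(s.Handle(env)) // the result the oracle server relays back on chain
}
```

The oracle server never needs the RSA private key, so it cannot read the parameters it relays, and the GCM authentication tag means a relay that alters the envelope produces a decryption error rather than a wrong computation.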
In the above embodiment, the cloud server performs the computing task as an off-chain node instead of a blockchain node. In addition, the cloud server can also act as a cross-chain proxy service node that interfaces with a plurality of different blockchain networks to implement cross-chain data access.
In this scenario, the ciphertext request (or plaintext request) is a cross-chain data access request, the data to be processed is the data to be accessed, which is stored in another blockchain network different from the one in which the blockchain all-in-one machine is located, and the related information includes address information of the data to be processed. The cloud server, as a cross-chain proxy service node, can then respond to the cross-chain data access request by performing cross-chain access to the other blockchain network according to the address information to obtain the data to be accessed, and return the data to be accessed to the blockchain all-in-one machine. The cloud server may act as a cross-chain relay that accesses data in the blockchain network according to a cross-chain technique in the related art (such as sidechain technology or notary technology, which this specification does not limit), which will not be described here.
In the blockchain data processing scheme based on cloud computing in this specification, besides serving as an off-chain node and a cross-chain proxy service node, the cloud server can also serve as a CA (Certificate Authority) authorization node that issues digital certificates to blockchain all-in-one machines allowed to join the blockchain network. It should be noted that one cloud server may combine the functions of the three roles of off-chain node, cross-chain proxy service node and CA authorization node, or the roles may be implemented by different cloud servers. In other words, a cloud server may take on at least one of the three roles of off-chain node, cross-chain proxy service node and CA authorization node.
When the cloud server serves as a CA authorization node, the data to be processed comprises the second identity public key of the blockchain all-in-one machine applying to join the blockchain network, and the related information comprises the second description information of that blockchain all-in-one machine.
The cloud server can have a built-in certificate authority service, i.e., a CA service, which is equivalent to configuring the cloud server as the CA certificate authority center of the blockchain network, so that certificate issuance is realized autonomously. After the cloud server starts the CA service, it may first generate a root certificate (Root CA Cert) for itself based on the CA service and broadcast it within the blockchain network, so that the blockchain nodes in the blockchain network can obtain the root certificate.
The CA service needs to use an identity key of the cloud server when issuing certificates. Assume that the cloud server creates a first identity key, which specifically includes a first identity private key and the corresponding first identity public key. The cloud server provides the first identity private key to the CA service, so that the CA service signs the first identity public key and the first description information of the cloud server with the first identity private key to generate the root certificate. Because this digital certificate is generated by signing the cloud server's own public key with the cloud server's own private key, the digital certificate corresponding to the cloud server is a root certificate, or self-signed certificate.
The cloud server needs to keep the first identity private key safe, but may disclose the first identity public key. In fact, the first identity public key is included in the root certificate, so that after receiving the root certificate, a blockchain node in the blockchain network can obtain the first identity public key from the root certificate and verify the signature on the root certificate with the first identity public key; if verification succeeds, the blockchain node can determine that the root certificate is valid. Similarly, a blockchain all-in-one machine that has not joined the blockchain network can obtain the root certificate of the cloud server (for example, by requesting it from the cloud server, or through the cloud server's broadcast), obtain the first identity public key from the root certificate, and verify the signature on the root certificate with the first identity public key; if verification succeeds, it confirms that the cloud server is a CA authorization node, and can then apply to the cloud server to join the blockchain network and obtain the corresponding digital certificate.
Like the cloud server, a blockchain all-in-one machine that applies to join the blockchain network (hereinafter the blockchain all-in-one machine to be added) also creates its own identity key. Assume that the blockchain all-in-one machine to be added has created a second identity key, which specifically includes a second identity private key and a second identity public key; the authentication application initiated by the blockchain all-in-one machine to be added may include its second identity public key (i.e., the data to be processed) and its description information (i.e., the related information). The blockchain all-in-one machine to be added needs to keep the second identity private key safe. Correspondingly, after the cloud server provides the received authentication application to the CA service, the CA service can sign the second identity public key, the second description information of the blockchain all-in-one machine to be added and the first description information of the cloud server with the first identity private key, so as to generate the digital certificate corresponding to the blockchain all-in-one machine to be added.
The digital certificate corresponding to the cloud server is signed with the first identity private key of the cloud server, so the first identity public key can be obtained directly from that digital certificate and signature verification completed. The digital certificate corresponding to the blockchain all-in-one machine is also signed with the first identity private key of the cloud server, but the public key it contains is the second identity public key corresponding to the blockchain all-in-one machine, so the root certificate must be obtained according to the first description information of the cloud server contained in the digital certificate, and the signature contained in the digital certificate corresponding to the blockchain all-in-one machine is verified with the first identity public key contained in the root certificate. A chained relationship, namely a certificate chain, is thus formed between the digital certificate corresponding to the cloud server and the digital certificate corresponding to the blockchain all-in-one machine, in which the digital certificate corresponding to the cloud server is at the root position, which is why it can be called the root certificate.
Before generating the digital certificate for the blockchain all-in-one machine to be added, the cloud server can verify its second description information and generate the digital certificate only if the verification passes; that is, whether the blockchain all-in-one machine to be added is allowed to join the blockchain network is judged by verifying the second description information. If the verification fails, authentication of the blockchain all-in-one machine to be added has failed, and the operation of generating a digital certificate for it is not performed.
In addition, the blockchain nodes in the current blockchain network can participate in judging whether the blockchain all-in-one machine to be added is allowed to join the blockchain network. As an exemplary embodiment, the cloud server may send the second description information of the blockchain all-in-one machine to be added to the target blockchain network, so that the blockchain nodes in the target blockchain network determine, according to the second description information, whether to allow the blockchain all-in-one machine to be added to join the target blockchain network; if they decide to allow it, an application joining confirmation message for the blockchain all-in-one machine to be added is generated based on the second description information and returned to the cloud server. The cloud server may then generate the digital certificate for the blockchain all-in-one machine to be added once it has acquired the application joining confirmation message. Meanwhile, the blockchain nodes in the target blockchain network can store the second description information of the blockchain all-in-one machine to be added, so as to use it later to verify the digital certificate that the blockchain all-in-one machine to be added presents when it joins the target blockchain network. For example, a blockchain node may maintain a node information list in which the description information of the blockchain all-in-one machines allowed to join the target blockchain network is recorded. Alternatively, the cloud server may send the second description information of the blockchain all-in-one machine to be added to the target blockchain network in the form of a submitted transaction, so that the second description information is recorded in a block of the target blockchain network.
As can be seen, the preconditions for the cloud server to generate the digital certificate for the blockchain all-in-one machine to be added may include: the cloud server verifies the second description information of the blockchain all-in-one machine to be added, and/or the target blockchain network generates an application joining confirmation message for the blockchain all-in-one machine to be added based on the second description information sent by the cloud server. Of course, the specific form of the precondition can be flexibly selected according to actual requirements, and this specification does not limit it.
With the digital certificate generated in the above manner, a digital certificate issued by the CA service indicates that the device corresponding to it has passed the identity authentication of the CA service. Thus, by verifying the digital certificate presented by a particular blockchain all-in-one machine, that blockchain all-in-one machine can be determined to be a blockchain node in the blockchain network once the verification passes. In other words, the digital certificate of any blockchain all-in-one machine is verified by any blockchain node in the target blockchain network using the root certificate, and that blockchain node uses the digital certificate as a precondition for determining that the blockchain all-in-one machine joins the target blockchain network.
Specifically, a blockchain node in the blockchain network can receive a digital certificate to be verified sent by the blockchain all-in-one machine to be added, and perform signature verification on it according to the first identity public key contained in the root certificate; if the signature verification succeeds, the digital certificate to be verified is determined to have been issued by the CA service started on the cloud server. Further, the digital certificate to be verified contains the second description information of the blockchain all-in-one machine to be added, and the blockchain nodes in the blockchain network store the description information of the blockchain all-in-one machines allowed to join the blockchain network, so a node can judge whether the second description information contained in the digital certificate to be verified belongs to that stored description information. When it does (at which point the digital certificate to be verified has passed verification), the blockchain all-in-one machine corresponding to the digital certificate to be verified is determined to be a blockchain node in the blockchain network.
For ease of understanding, the process by which a blockchain all-in-one machine to be added applies to join a target blockchain network is described in detail below with reference to an example and FIG. 4.
Referring to fig. 4, fig. 4 is an interaction diagram of a to-be-added blockchain all-in-one machine applying for adding to a target blockchain network according to an exemplary embodiment. As shown in fig. 4, the interaction process may include the steps of:
In step 402, the cloud server 42 starts a CA service.
In step 404, the cloud server 42 generates and broadcasts a root certificate.
The cloud server 42 may generate an identity key, such as a first identity key, which may include a first identity private key and a first identity public key. Then, the cloud server 42 generates a root certificate through the CA service. Specifically, the CA service may sign the first identity public key and the description information of the cloud server 42 with the first identity private key to generate a digital certificate corresponding to the cloud server 42, that is, the root certificate described above. After generating the root certificate, the cloud server 42 broadcasts it to the target blockchain network so that each blockchain node in the target blockchain network saves the root certificate. The description information of the cloud server 42 may include ID information, a product serial number, an IP address, a MAC address, etc., which this specification does not limit.
The following description will take as an example the blockchain node 43 and the blockchain node 44 in the target blockchain network.
In step 406A, the blockchain node 43 validates and saves the root certificate.
In step 406B, the blockchain node 44 validates and saves the root certificate.
The blockchain node 43 and the blockchain node 44 can perform signature verification through the first identity public key contained in the root certificate, and determine that the root certificate passes verification if the signature verification is successful, so as to save the root certificate.
In step 408, the blockchain all-in-one 41 generates and transmits an authentication application to the cloud server 42.
The blockchain all-in-one machine 41 serves as the blockchain all-in-one machine to be added, and requests the CA service on the cloud server 42 to issue a digital certificate for it by generating and transmitting an authentication application. Here, similar to the cloud server 42, the blockchain all-in-one machine 41 may generate an identity key, such as a second identity key, which may include a second identity private key and a second identity public key. The authentication application generated by the blockchain all-in-one machine 41 may include the second identity public key and the description information of the blockchain all-in-one machine 41. The description information of the blockchain all-in-one machine may include ID information, a product serial number, an IP address, a MAC address, etc., as long as it can be used to prove the identity of the blockchain all-in-one machine; this specification does not limit it.
In step 410, the cloud server 42 broadcasts the description information of the blockchain all-in-one machine 41.
In step 412A, the blockchain node 43 returns an application joining confirmation message to the cloud server 42.
In step 412B, the blockchain node 44 returns an application joining confirmation message to the cloud server 42.
The blockchain nodes in the current blockchain network can participate in judging whether the blockchain all-in-one machine to be added is allowed to join the blockchain network. Accordingly, the cloud server 42 may send the description information of the blockchain all-in-one machine 41 to the target blockchain network so that the nodes determine, according to the description information, whether to allow the blockchain all-in-one machine 41 to join the target blockchain network; if they decide to allow it, a corresponding application joining confirmation message is returned to the cloud server 42 to inform it that the target blockchain network agrees to the blockchain all-in-one machine 41 joining. Meanwhile, the blockchain nodes in the target blockchain network may save the description information of the blockchain all-in-one machine 41 for verifying the digital certificate it presents when it subsequently joins the target blockchain network. For example, a blockchain node may maintain a node information list in which the description information of the blockchain all-in-one machines allowed to join the target blockchain network is recorded; for instance, the node information list may record the IP addresses of the blockchain all-in-one machines allowed to join the target blockchain network, which this specification does not limit.
In one case, the operation of determining whether to allow the blockchain all-in-one machine 41 to join the target blockchain network may be performed by a master node in the target blockchain network. For example, the blockchain nodes in the target blockchain network may determine one or more master nodes by election. This specification does not limit the election rule adopted: for example, the first n blockchain nodes to access the network, in order of access, may be identified as master nodes, or n blockchain nodes may be selected as master nodes in descending or ascending order of IP address, where n is a positive integer.
In another case, whether to allow the blockchain all-in-one machine 41 to join the target blockchain network may be determined by all accounting nodes in the target blockchain network. Taking a consortium chain as an example, all consortium members may jointly decide whether to allow the blockchain all-in-one machine 41 to join the target blockchain network. For example, the cloud server may determine that the target blockchain network allows the blockchain all-in-one machine 41 to join only if a preset proportion of the consortium members allow it. Of course, the specific value of the preset proportion can be flexibly set according to the actual situation, and this specification does not limit it.
In step 414, the cloud server 42 verifies the description information and generates a digital certificate.
Before generating the digital certificate for the blockchain all-in-one machine 41, the cloud server 42 may verify the description information of the blockchain all-in-one machine 41 through the CA service and generate the digital certificate only if the verification passes; that is, whether the blockchain all-in-one machine 41 is allowed to join the blockchain network is determined by verifying its description information. If the verification fails, authentication of the blockchain all-in-one machine 41 has failed, and the operation of generating a digital certificate for it is not performed.
Specifically, the CA service may sign the second identity public key, the description information of the blockchain all-in-one machine 41, and the description information of the cloud server 42 with the first identity private key to generate a digital certificate corresponding to the blockchain all-in-one machine 41. Here, the description information of the cloud server 42 used in signing need not be of the same kind as the description information of the blockchain all-in-one machine 41; for example, the two may contain different types of description information, depending on the rules set by the CA service. Likewise, the description information of the blockchain all-in-one machine 41 included in the authentication application need not be identical to the description information used in signing. For example, the description information used in signing may be only a part of the description information included in the authentication application, in particular excluding any part that is not suitable for disclosure (for example, privacy-related information); or the description information used in signing may be a hash value of the description information included in the authentication application, so that the digital certificate still corresponds exactly to the description information in the authentication application while avoiding disclosure, through the digital certificate, of description information that is not suitable for disclosure.
It should be noted that the specific manner in which the target blockchain network and the cloud server 42 determine, according to the description information, whether to allow the blockchain all-in-one machine 41 to join the target blockchain network may be flexibly set according to practical situations, which this specification does not limit. For example, whether to allow the blockchain all-in-one machine 41 to join the target blockchain network may be determined by means of a blacklist (recording the description information of blockchain all-in-one machines that are not allowed to join the target blockchain network).
In step 416, the cloud server 42 returns the digital certificate to the blockchain all-in-one machine 41.
In step 418, the blockchain all-in-one machine 41 broadcasts the digital certificate to the target blockchain network.
In step 420A, the blockchain node 43 verifies the digital certificate and admits the blockchain all-in-one machine 41 as a blockchain node.
In step 420B, the blockchain node 44 verifies the digital certificate and admits the blockchain all-in-one machine 41 as a blockchain node.
The blockchain node 43 is taken as an example; the blockchain node 44 behaves similarly. After receiving the digital certificate broadcast by the blockchain all-in-one machine 41, the blockchain node 43 takes it as the digital certificate to be verified and performs signature verification on it according to the first identity public key contained in the root certificate of the cloud server 42; if the signature verification succeeds, the digital certificate to be verified is determined to have been issued by the CA service started on the cloud server. Further, the digital certificate to be verified contains the description information of the blockchain all-in-one machine 41, and the node information list of the blockchain node 43 records the description information of the blockchain all-in-one machines allowed to join the blockchain network, so the node queries whether the description information contained in the digital certificate to be verified is recorded in the node information list. When it is (at which point the digital certificate to be verified has passed verification), the blockchain all-in-one machine corresponding to the digital certificate to be verified (namely, the blockchain all-in-one machine 41) is determined to be a blockchain node in the blockchain network.
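The certificate chain and joining flow of FIG. 4 (root certificate generation, the two issuance preconditions, and the node-side verification of steps 406, 412 and 420), as an added example that is not the patent's own code. It assumes Ed25519 for the identity keys, a JSON encoding of the signed fields, a node information list keyed by product serial number, and a percentage quorum for the member decision; the specification fixes none of these.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

type Description struct{ ID, Serial, IP, MAC string } // fields the specification names

// Certificate: subject identity public key, subject description and (for a machine
// certificate) the cloud server's description, signed with the first identity private key.
type Certificate struct {
	SubjectPub  ed25519.PublicKey
	SubjectDesc Description
	IssuerDesc  *Description // nil for the self-signed root certificate
	Signature   []byte
}

func (c Certificate) tbs() []byte {
	c.Signature = nil // the to-be-signed encoding is every field except the signature
	b, _ := json.Marshal(c)
	return b
}

type JoinConfirmation struct { // a node's "application joining confirmation message"
	NodeID string
	Desc   Description
}

// CAService is the CA started on the cloud server; the private key never leaves it.
type CAService struct {
	priv ed25519.PrivateKey
	desc Description
	Root Certificate
}

func NewCAService(desc Description) (*CAService, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, err
	}
	root := Certificate{SubjectPub: pub, SubjectDesc: desc}
	root.Signature = ed25519.Sign(priv, root.tbs())
	return &CAService{priv: priv, desc: desc, Root: root}, nil
}

// Issue applies both preconditions: the CA's own description check and confirmations from at least quorumPct percent of members.
func (ca *CAService) Issue(pub ed25519.PublicKey, d Description, confs []JoinConfirmation, members, quorumPct int) (Certificate, error) {
	if d.ID == "" || d.Serial == "" || d.IP == "" || d.MAC == "" {
		return Certificate{}, errors.New("description verification failed")
	}
	agreed := map[string]bool{}
	for _, c := range confs {
		if c.Desc == d { // a confirmation counts only if it names exactly this machine
			agreed[c.NodeID] = true
		}
	}
	if members <= 0 || len(agreed)*100 < quorumPct*members {
		return Certificate{}, errors.New("too few application joining confirmation messages")
	}
	cert := Certificate{SubjectPub: pub, SubjectDesc: d, IssuerDesc: &ca.desc}
	cert.Signature = ed25519.Sign(ca.priv, cert.tbs())
	return cert, nil
}

type Node struct {
	ID   string
	root Certificate            // saved root certificate of the cloud server
	list map[string]Description // node information list, keyed by serial number
}

// NewNode verifies the root certificate's self-signature before saving it (steps 406A/B).
func NewNode(id string, root Certificate) (*Node, error) {
	if root.IssuerDesc != nil || !ed25519.Verify(root.SubjectPub, root.tbs(), root.Signature) {
		return nil, errors.New("root certificate signature verification failed")
	}
	return &Node{ID: id, root: root, list: map[string]Description{}}, nil
}

// Confirm records the machine in the node information list and returns the message sent back to the cloud server (steps 412A/B).
func (n *Node) Confirm(d Description) JoinConfirmation {
	n.list[d.Serial] = d
	return JoinConfirmation{NodeID: n.ID, Desc: d}
}

// Admit is the node-side check of a broadcast certificate (steps 420A/B).
func (n *Node) Admit(cert Certificate) error {
	if cert.IssuerDesc == nil || *cert.IssuerDesc != n.root.SubjectDesc {
		return errors.New("no saved root certificate matches the issuer description")
	}
	if !ed25519.Verify(n.root.SubjectPub, cert.tbs(), cert.Signature) {
		return errors.New("certificate was not issued by the CA service on the cloud server")
	}
	if rec, ok := n.list[cert.SubjectDesc.Serial]; !ok || rec != cert.SubjectDesc {
		return errors.New("description information is not in the node information list")
	}
	return nil
}
```

A node that never returned a confirmation for the machine rejects even a genuine certificate, which is the point of the node information list check.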
Corresponding to the embodiment on the blockchain all-in-one machine side described above, this specification also proposes an embodiment on the cloud server side. The description given for the blockchain all-in-one machine side applies equally to the cloud server side and is not repeated in detail below.
Accordingly, fig. 5 is a flowchart of a blockchain data processing method based on cloud computing at the cloud server side according to an exemplary embodiment. As shown in fig. 5, the method may include the steps of:
In step 502, the cloud server obtains a ciphertext request initiated by a blockchain all-in-one machine and decrypts it in the trusted execution environment it maintains to obtain a plaintext request, so as to read the related information for the data to be processed contained in the plaintext request.
In step 504, the cloud server executes the related operation for the data to be processed according to the related information, and returns the execution result corresponding to the related operation to the blockchain all-in-one machine.
As described above, an off-chain contract is deployed on the cloud server in advance, and the related information includes the data to be processed and the contract address of the off-chain contract for processing that data. In this case, the cloud server may first determine, according to the contract address, the off-chain contract deployed on it and read the data to be processed and the off-chain contract into the trusted execution environment, and then execute the off-chain contract through an execution engine deployed in the trusted execution environment to compute the data to be processed.
As described above, the cloud server provides the blockchain all-in-one machine with a remote attestation report for the trusted execution environment, the remote attestation report being generated after an authentication server verifies the self-recommendation information generated by the cloud server for the trusted execution environment; the cloud server also provides the blockchain all-in-one machine with the contract information to be verified of the off-chain contract, the contract information to be verified being signed by the cloud server in the trusted execution environment with the cloud server's identity private key, which the cloud server maintains in the trusted execution environment;
and, once it has determined from the remote attestation report that the trusted execution environment is trusted, the blockchain all-in-one machine performs signature verification on the contract information to be verified with the cloud server's identity public key, performs contract information verification on it against the contract information of the off-chain contract, and determines that the off-chain contract is trusted only if both the signature verification and the contract information verification pass.
As described above, the data to be processed may be stored in another blockchain network, different from the one in which the blockchain all-in-one machine is located, and the related information then includes the address information of the data to be processed. In this case, the cloud server may access the data to be processed in the other blockchain network across chains according to the address information.
As described above, the cloud server signs its first identity public key and its first description information with its first identity private key to generate a root certificate;
the data to be processed includes the second identity public key of the blockchain all-in-one machine, and the related information includes the second description information of the blockchain all-in-one machine. In this case, the cloud server may sign the second identity public key, the first description information, and the second description information of the blockchain all-in-one machine with the first identity private key to generate a digital certificate corresponding to the blockchain all-in-one machine; the digital certificate of any blockchain all-in-one machine is verified by any blockchain node in the target blockchain network using the root certificate, and that blockchain node uses the digital certificate as a precondition for judging that the blockchain all-in-one machine joins the target blockchain network.
As previously described, the cloud server may verify the second description information to generate the digital certificate if the verification passes.
As described above, the cloud server may send the second description information of the blockchain all-in-one machine to the target blockchain network, and generate the digital certificate when it acquires the application joining confirmation message for the blockchain all-in-one machine that the target blockchain network generates based on the second description information.
As previously described, the second descriptive information is used to verify the digital certificate of the blockchain all-in-one machine.
As described above, the cloud server may obtain the ciphertext request initiated by the blockchain all-in-one machine through an oracle mechanism. Specifically, the cloud server receives the ciphertext request from an oracle server, which obtains it from an event monitored at an oracle contract; the event is generated by the blockchain all-in-one machine by calling the oracle contract. Similarly, the cloud server returns the execution result to the oracle server, which passes it on to the oracle contract.
Fig. 6 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 6, at the hardware level the apparatus includes a processor 602, an internal bus 604, a network interface 606, a memory 608, and a non-volatile storage 610, and may of course include other hardware required by other services. The processor 602 reads the corresponding computer program from the non-volatile storage 610 into the memory 608 and runs it, forming a cloud-computing-based blockchain data processing apparatus at the logical level. Besides a software implementation, one or more embodiments of this specification do not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to logical units but may also be hardware or a logic device.
Referring to fig. 7, in a software implementation the cloud-computing-based blockchain data processing apparatus may include:
a request initiating unit 71, configured to cause the blockchain all-in-one machine to initiate a ciphertext request to the cloud server, where the ciphertext request is decrypted by the cloud server in the trusted execution environment it maintains to obtain a plaintext request, and the plaintext request contains related information for data to be processed;
and a result acquisition unit 72, configured to cause the blockchain all-in-one machine to acquire the execution result returned by the cloud server, where the execution result is obtained by the cloud server executing the related operation on the data to be processed according to the related information.
Optionally, an off-chain contract is deployed on the cloud server in advance, and the related information includes the data to be processed and the contract address of the off-chain contract for processing that data; the execution result is obtained by the cloud server executing the off-chain contract corresponding to the contract address through an execution engine deployed in the trusted execution environment, so as to compute the data to be processed.
Optionally, the apparatus further comprises:
an information acquisition unit 73, configured to cause the blockchain all-in-one machine to acquire a remote attestation report for the trusted execution environment, the remote attestation report being generated by an authentication server after verifying the self-recommendation information generated by the cloud server for the trusted execution environment; and to cause the blockchain all-in-one machine to acquire the contract information to be verified of the off-chain contract, the contract information to be verified being signed by the cloud server in the trusted execution environment with the cloud server's identity private key, which the cloud server maintains in the trusted execution environment;
and a verification unit 74, configured to cause the blockchain all-in-one machine, once it has determined from the remote attestation report that the trusted execution environment is trusted, to perform signature verification on the contract information to be verified with the cloud server's identity public key, to perform contract information verification on it against the contract information of the off-chain contract, and to determine that the off-chain contract is trusted only if both the signature verification and the contract information verification pass.
Optionally, the data to be processed is stored in another blockchain network, different from the one in which the blockchain all-in-one machine is located, the related information includes the address information of the data to be processed, and the data to be processed is obtained by the cloud server accessing the other blockchain network across chains according to the address information.
Optionally, the data to be processed includes the second identity public key of the blockchain all-in-one machine, and the related information includes the second description information of the blockchain all-in-one machine; the apparatus further comprises:
a certificate acquisition unit 75, configured to cause the blockchain all-in-one machine to acquire the digital certificate corresponding to it, the digital certificate being obtained by the cloud server signing the second identity public key, the first description information of the cloud server, and the second description information with the first identity private key of the cloud server;
where the digital certificate of any blockchain all-in-one machine is verified by any blockchain node in the target blockchain network using a root certificate, that blockchain node uses the digital certificate as a precondition for judging that the blockchain all-in-one machine joins the target blockchain network, and the root certificate is obtained by the cloud server signing its first identity public key and its first description information with its first identity private key.
Optionally, the preconditions for the cloud server to generate the digital certificate include: the cloud server verifies the second description information.
Optionally, the preconditions for the cloud server to generate the digital certificate include: the target blockchain network generates an application joining confirmation message for the blockchain all-in-one machine based on the second description information sent by the cloud server.
Optionally, the second description information is used for verifying the digital certificate of the blockchain all-in-one machine.
Optionally, the request initiating unit 71 is specifically configured to: cause the blockchain all-in-one machine to generate an event containing the ciphertext request by calling an oracle contract, so that when the event is monitored by an oracle server, the ciphertext request contained in the event is acquired by the oracle server and sent to the cloud server;
and the result acquisition unit 72 is specifically configured to: acquire the execution result returned by the oracle server to the oracle contract, the execution result having been returned to the oracle server by the cloud server.
Referring to fig. 8, in another software implementation the cloud-computing-based blockchain data processing apparatus may include:
a request acquisition unit 81, configured to cause the cloud server to acquire a ciphertext request initiated by the blockchain all-in-one machine and decrypt it in the trusted execution environment it maintains to obtain a plaintext request, so as to read the related information for the data to be processed contained in the plaintext request;
and an execution unit 82, configured to cause the cloud server to execute the related operation for the data to be processed according to the related information and return the execution result corresponding to the related operation to the blockchain all-in-one machine.
Optionally, an off-chain contract is deployed on the cloud server in advance, and the related information includes the data to be processed and the contract address of the off-chain contract for processing that data; the execution unit 82 is specifically configured to:
cause the cloud server to determine, according to the contract address, the off-chain contract deployed on it, and read the data to be processed and the off-chain contract into the trusted execution environment;
and cause the cloud server to execute the off-chain contract through an execution engine deployed in the trusted execution environment to compute the data to be processed.
Optionally, the apparatus further comprises:
an information providing unit 83, configured to cause the cloud server to provide the blockchain all-in-one machine with a remote attestation report for the trusted execution environment, the remote attestation report being generated by an authentication server after verifying the self-recommendation information generated by the cloud server for the trusted execution environment; and to cause the cloud server to provide the blockchain all-in-one machine with the contract information to be verified of the off-chain contract, the contract information to be verified being signed by the cloud server in the trusted execution environment with the cloud server's identity private key, which the cloud server maintains in the trusted execution environment;
where, once it has determined from the remote attestation report that the trusted execution environment is trusted, the blockchain all-in-one machine performs signature verification on the contract information to be verified with the cloud server's identity public key, performs contract information verification on it against the contract information of the off-chain contract, and determines that the off-chain contract is trusted only if both the signature verification and the contract information verification pass.
Optionally, the data to be processed is stored in other blockchain networks different from the blockchain network in which the blockchain integrated machine is located, and the related information includes address information of the data to be processed; the execution unit 82 specifically is configured to:
and the cloud server cross-chain accesses the data to be processed stored in the other blockchain networks according to the address information.
Optionally, the method further comprises: a certificate issuing unit 84 that causes the cloud server to sign a first identity public key of the cloud server and first description information of the cloud server by a first identity private key of the cloud server to generate a root certificate;
the data to be processed comprises a second identity public key of the blockchain integrated machine, and the related information comprises second description information of the blockchain integrated machine; the execution unit 82 specifically is configured to: the cloud server signs a second identity public key, first description information and second description information of the blockchain all-in-one machine through a first identity private key to generate a digital certificate corresponding to the blockchain all-in-one machine; the digital certificate of any blockchain all-in-one machine is verified by any blockchain node in a target blockchain network by adopting the root certificate, and the digital certificate is used as a precondition for judging that the any blockchain all-in-one machine joins the target blockchain network by the any blockchain node.
Optionally, the method further comprises:
and a verification unit 85 for enabling the cloud server to verify the second description information so as to generate the digital certificate when the verification passes.
Optionally, the method further comprises:
and a sending unit 86, configured to cause the cloud server to send second description information of the blockchain all-in-one machine to the target blockchain network, so as to generate the digital certificate when acquiring an application joining confirmation message for the blockchain all-in-one machine, where the application joining confirmation message is generated by the target blockchain network based on the second description information.
Optionally, the second description information is used for verifying the digital certificate of the blockchain all-in-one machine.
Optionally, the request acquiring unit 81 is specifically configured to: the cloud server receives a ciphertext request which is sent by a predictor server and obtained from an event monitored at a predictor contract, wherein the event is generated by the blockchain integrated machine through calling the predictor contract;
the execution unit 82 specifically is configured to: and the cloud server returns the execution result to the predictor server, and the execution result is transmitted to the predictor contract by the predictor server.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (23)

1. A blockchain data processing method based on cloud computing, applied to a blockchain all-in-one machine, wherein the software services integrated in the blockchain all-in-one machine comprise a cloud service interface; the method comprises the following steps:
initiating a ciphertext request to a cloud server through the cloud service interface, wherein the ciphertext request is decrypted by the cloud server in a trusted execution environment it maintains to obtain a plaintext request, the plaintext request contains related information for data to be processed, the cloud server is an off-chain node relative to a blockchain network, and the blockchain network is constructed with the participation of the blockchain all-in-one machine;
acquiring, through the cloud service interface, an execution result returned by the cloud server, wherein the execution result is obtained by the cloud server performing a related operation on the data to be processed according to the related information; an off-chain contract is pre-deployed on the cloud server, and the related information comprises the data to be processed and a contract address of the off-chain contract for processing the data to be processed; and the execution result is obtained by the cloud server executing the off-chain contract corresponding to the contract address through an execution engine deployed in the trusted execution environment, so as to compute on the data to be processed.
2. The method of claim 1, wherein the hardware deployed in the blockchain all-in-one machine comprises a smart contract processing chip, and the smart contract processing chip is deployed with a hardware root-of-trust key for negotiating a key that encrypts blockchain data to be deployed.
3. The method of claim 2, wherein the smart contract processing chip is deployed with a hardware root-of-trust key of an issuer, and the hardware root-of-trust key is used to sign negotiation information sent by the smart contract processing chip to the issuer; when the issuer successfully verifies the negotiation information with the public key corresponding to the hardware root-of-trust key, the smart contract processing chip and the issuer each negotiate the same key based on the negotiation information; and when the blockchain all-in-one machine accesses a blockchain network, the key is used by the smart contract processing chip to decrypt blockchain data to be deployed that is provided by the issuer.
4. The method of claim 1, wherein the hardware deployed in the blockchain all-in-one machine comprises a smart network card that replaces or assists the CPU of the blockchain all-in-one machine in performing blockchain data processing operations.
5. The method of claim 1, wherein the hardware deployed in the blockchain all-in-one machine comprises a cryptographic acceleration card for performing at least one of key management, encryption and decryption, and signature verification.
6. The method of claim 1, wherein the software services integrated in the blockchain all-in-one machine further comprise: a built-in certificate authority service for certificate issuance and node identity authentication; and/or a cross-chain service interface for cross-chain data interaction.
7. The method of claim 1, wherein the data to be processed comprises a second identity public key of the blockchain all-in-one machine, and the related information comprises second description information of the blockchain all-in-one machine; the method further comprises the steps of:
acquiring, through the cloud service interface, a digital certificate corresponding to the blockchain all-in-one machine, the digital certificate being obtained by the cloud server signing the second identity public key, the first description information of the cloud server and the second description information with a first identity private key of the cloud server;
wherein the digital certificate of any blockchain all-in-one machine is verified, using a root certificate, by any blockchain node in a target blockchain network, and that blockchain node treats the digital certificate as a precondition for determining that the blockchain all-in-one machine may join the target blockchain network; and the root certificate is obtained by the cloud server signing a first identity public key of the cloud server and the first description information of the cloud server with the first identity private key.
8. The method of claim 7, wherein the preconditions for the cloud server generating the digital certificate comprise: the target blockchain network generating an application joining confirmation message for the blockchain all-in-one machine based on the second description information sent by the cloud server.
9. The method of claim 8, wherein the second description information is used to verify the digital certificate of the blockchain all-in-one machine.
10. The method of claim 7, wherein the preconditions for the cloud server generating the digital certificate comprise: the cloud server verifying the second description information.
11. The method of claim 1, further comprising:
acquiring a remote attestation report for the trusted execution environment, wherein the remote attestation report is generated after an authentication server verifies self-recommendation information generated by the cloud server for the trusted execution environment;
acquiring contract information to be verified of the off-chain contract, wherein the contract information to be verified is signed by the cloud server in the trusted execution environment with an identity private key of the cloud server, and the identity private key is maintained in the trusted execution environment by the cloud server;
and, when the trusted execution environment is determined to be trusted according to the remote attestation report, performing signature verification on the contract information to be verified using an identity public key of the cloud server, performing contract information verification on the contract information to be verified against the contract information of the off-chain contract, and determining that the off-chain contract is trusted only when both the signature verification and the contract information verification pass.
12. The method of claim 1, wherein the data to be processed is stored in another blockchain network, different from the blockchain network in which the blockchain all-in-one machine is located, the related information comprises address information of the data to be processed, and the data to be processed is obtained by the cloud server performing cross-chain access to the other blockchain network according to the address information.
13. A blockchain data processing method based on cloud computing, applied to a cloud server; the method comprises the following steps:
acquiring a ciphertext request initiated by a blockchain all-in-one machine, decrypting the ciphertext request in a trusted execution environment maintained by the cloud server to obtain a plaintext request, and reading related information for data to be processed that is contained in the plaintext request, wherein the ciphertext request is initiated by the blockchain all-in-one machine through a cloud service interface included in its integrated software services, the cloud server is an off-chain node relative to a blockchain network, and the blockchain network is constructed by the blockchain all-in-one machine;
performing a related operation on the data to be processed according to the related information, wherein the blockchain all-in-one machine acquires an execution result corresponding to the related operation through the cloud service interface;
wherein an off-chain contract is pre-deployed on the cloud server, and the related information comprises the data to be processed and a contract address of the off-chain contract for processing the data to be processed; and performing the related operation on the data to be processed according to the related information comprises:
the cloud server determining, according to the contract address, the off-chain contract deployed on the cloud server, and reading the data to be processed and the off-chain contract into the trusted execution environment;
the cloud server executing the off-chain contract through an execution engine deployed within the trusted execution environment, so as to compute on the data to be processed.
14. The method of claim 13, further comprising: signing a first identity public key of the cloud server and first description information of the cloud server with a first identity private key of the cloud server to generate a root certificate;
wherein the data to be processed comprises a second identity public key of the blockchain all-in-one machine, and the related information comprises second description information of the blockchain all-in-one machine; the cloud server performing the related operation on the data to be processed according to the related information comprises: the cloud server signing the second identity public key of the blockchain all-in-one machine, the first description information and the second description information with the first identity private key to generate a digital certificate corresponding to the blockchain all-in-one machine; wherein the digital certificate of any blockchain all-in-one machine is verified, using the root certificate, by any blockchain node in a target blockchain network, and that blockchain node treats the digital certificate as a precondition for determining that the blockchain all-in-one machine may join the target blockchain network.
15. The method of claim 14, further comprising:
verifying the second description information, so as to generate the digital certificate when the verification passes.
16. The method of claim 14, further comprising:
sending the second description information of the blockchain all-in-one machine to the target blockchain network, so as to generate the digital certificate upon acquiring an application joining confirmation message for the blockchain all-in-one machine, the message being generated by the target blockchain network based on the second description information.
17. The method of claim 16, wherein the second description information is used to verify the digital certificate of the blockchain all-in-one machine.
18. The method of claim 13, further comprising:
providing a remote attestation report for the trusted execution environment to the blockchain all-in-one machine, wherein the remote attestation report is generated after an authentication server verifies self-recommendation information generated by the cloud server for the trusted execution environment;
providing contract information to be verified of the off-chain contract to the blockchain all-in-one machine, wherein the contract information to be verified is signed by the cloud server in the trusted execution environment with an identity private key of the cloud server, and the identity private key is maintained in the trusted execution environment by the cloud server;
wherein the blockchain all-in-one machine, when it has determined from the remote attestation report that the trusted execution environment is trusted, performs signature verification on the contract information to be verified using an identity public key of the cloud server, performs contract information verification on the contract information to be verified against the contract information of the off-chain contract, and determines that the off-chain contract is trusted only when both the signature verification and the contract information verification pass.
19. The method of claim 13, wherein the data to be processed is stored in another blockchain network, different from the blockchain network in which the blockchain all-in-one machine is located, and the related information comprises address information of the data to be processed; performing the related operation on the data to be processed according to the related information comprises:
accessing, across chains, the data to be processed stored in the other blockchain network according to the address information.
20. A blockchain data processing apparatus based on cloud computing, applied to a blockchain all-in-one machine, wherein the software services integrated in the blockchain all-in-one machine comprise a cloud service interface; the apparatus comprises:
a request initiating unit, which initiates a ciphertext request to a cloud server through the cloud service interface, wherein the ciphertext request is decrypted by the cloud server in a trusted execution environment it maintains to obtain a plaintext request, the plaintext request contains related information for data to be processed, the cloud server is an off-chain node relative to a blockchain network, and the blockchain network is constructed by the blockchain all-in-one machine;
a result acquisition unit, which acquires, through the cloud service interface, an execution result returned by the cloud server, wherein the execution result is obtained by the cloud server performing a related operation on the data to be processed according to the related information; an off-chain contract is pre-deployed on the cloud server, and the related information comprises the data to be processed and a contract address of the off-chain contract for processing the data to be processed; and the execution result is obtained by the cloud server executing the off-chain contract corresponding to the contract address through an execution engine deployed in the trusted execution environment, so as to compute on the data to be processed.
21. A blockchain data processing apparatus based on cloud computing, applied to a cloud server; the apparatus comprises:
a request acquisition unit, which acquires a ciphertext request initiated by a blockchain all-in-one machine, decrypts the ciphertext request in a trusted execution environment maintained by the cloud server to obtain a plaintext request, and reads related information for data to be processed that is contained in the plaintext request, wherein the ciphertext request is initiated by the blockchain all-in-one machine through a cloud service interface included in its integrated software services, the cloud server is an off-chain node relative to a blockchain network, and the blockchain network is constructed by the blockchain all-in-one machine;
an execution unit, which performs a related operation on the data to be processed according to the related information, wherein the blockchain all-in-one machine acquires an execution result corresponding to the related operation through the cloud service interface;
wherein an off-chain contract is pre-deployed on the cloud server, and the related information comprises the data to be processed and a contract address of the off-chain contract for processing the data to be processed; the execution unit is specifically configured to:
determine, according to the contract address, the off-chain contract deployed on the cloud server, and read the data to be processed and the off-chain contract into the trusted execution environment;
execute the off-chain contract through an execution engine deployed within the trusted execution environment, so as to compute on the data to be processed.
22. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 1-19 by executing the executable instructions.
23. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of any of claims 1-19.
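The trust check that information providing unit 83 and claims 11 and 18 describe for an off-chain contract (remote attestation report first, then signature verification of the contract information under the cloud server's identity key, then comparison with the machine's own contract information, all three required), as an added Go example; this is not code from the patent or from any Alipay product. Ed25519 stands in for whatever signature scheme is used, and the JSON encoding, the "known-good measurement" rule of the authentication server, and carrying the identity public key inside the self-recommendation information are assumptions of the example, as the patent does not specify them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// SelfReport models the self-recommendation information the cloud server generates
// for its TEE (constructed; a real SGX quote differs). Carrying the identity public
// key in it is an assumption: the patent does not say how the machine obtains it.
type SelfReport struct {
	Measurement []byte // hash of the enclave code
	IdentityPub []byte // public half of the key kept inside the TEE
}

// AttestationReport is the remote attestation report. Sig is left out of the JSON,
// so canon(rep) is exactly the byte string the authentication server signed.
type AttestationReport struct {
	Report  SelfReport
	Trusted bool
	Sig     []byte `json:"-"`
}

// ContractInfo is the contract information to be verified; Sig is made inside the TEE.
type ContractInfo struct {
	Address  string
	CodeHash []byte
	Sig      []byte `json:"-"`
}

// canon is the deterministic byte string that is signed and verified.
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// goodMeasurement is the one enclave image the authentication server accepts (assumption).
var goodMeasurement = sha256.Sum256([]byte("known-good enclave image"))

// Attest is the authentication server: it checks the self-recommendation information
// and signs its verdict with the server's own key.
func Attest(authPriv ed25519.PrivateKey, sr SelfReport) AttestationReport {
	rep := AttestationReport{Report: sr, Trusted: bytes.Equal(sr.Measurement, goodMeasurement[:])}
	rep.Sig = ed25519.Sign(authPriv, canon(rep))
	return rep
}

// CloudServer keeps its identity private key inside the TEE (modelled as an unexported
// field) and signs contract information there.
type CloudServer struct {
	identityPriv ed25519.PrivateKey
	Measurement  []byte
	Code         []byte // code of the single off-chain contract deployed here
}

func (c *CloudServer) SelfReport() SelfReport {
	return SelfReport{Measurement: c.Measurement, IdentityPub: c.identityPriv.Public().(ed25519.PublicKey)}
}

// ContractInfoToVerify returns the contract information, signed with the identity key.
func (c *CloudServer) ContractInfoToVerify(addr string) ContractInfo {
	h := sha256.Sum256(c.Code)
	info := ContractInfo{Address: addr, CodeHash: h[:]}
	info.Sig = ed25519.Sign(c.identityPriv, canon(info))
	return info
}

// VerifyOffChainContract is the all-in-one machine's check: the report must be genuine
// and say the TEE is trusted, the contract information must verify under the attested
// identity key, and it must equal the machine's own copy. Any failure rejects it.
func VerifyOffChainContract(authPub ed25519.PublicKey, rep AttestationReport, info, expected ContractInfo) error {
	if !ed25519.Verify(authPub, canon(rep), rep.Sig) {
		return errors.New("attestation report signature invalid")
	}
	if !rep.Trusted {
		return errors.New("trusted execution environment not trusted")
	}
	if len(rep.Report.IdentityPub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad length
		return errors.New("malformed identity public key in report")
	}
	if !ed25519.Verify(ed25519.PublicKey(rep.Report.IdentityPub), canon(info), info.Sig) {
		return errors.New("contract information signature invalid")
	}
	if info.Address != expected.Address || !bytes.Equal(info.CodeHash, expected.CodeHash) {
		return errors.New("contract information does not match the machine's copy")
	}
	return nil
}

// Scenario builds the parties from fixed seeds and constructed sample data.
func Scenario() (authPriv ed25519.PrivateKey, cloud *CloudServer, expected ContractInfo) {
	code := []byte("constructed off-chain contract bytecode")
	h := sha256.Sum256(code)
	authPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32))
	cloud = &CloudServer{identityPriv: ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, 32)), Measurement: goodMeasurement[:], Code: code}
	return authPriv, cloud, ContractInfo{Address: "0xabc", CodeHash: h[:]}
}

func main() {
	authPriv, cloud, expected := Scenario()
	rep := Attest(authPriv, cloud.SelfReport())
	fmt.Println("error:", VerifyOffChainContract(authPriv.Public().(ed25519.PublicKey), rep, cloud.ContractInfoToVerify("0xabc"), expected))
}
```

Because the machine compares the signed code hash with its own copy, a cloud server that swaps the contract code after deployment fails the contract information verification even though its TEE and signature are genuine.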
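The two-level certificate chain of certificate issuing unit 84 and claims 7 to 10 and 14 to 17 (a self-signed root certificate over the cloud server's first identity public key and first description information, a digital certificate over the machine's second identity public key plus both description informations, and a blockchain node that accepts the digital certificate only after checking it with the root certificate and against the second description information the machine presents), as an added Go example that is not the patent's own code. The fields of the description information, the model allow-list the cloud server checks, and the application joining confirmation message (modelled as a boolean the issuer requires) are assumptions; Ed25519 stands in for the signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// DeviceDescription is a machine's second description information; its fields are an assumption.
type DeviceDescription struct {
	Serial string
	Model  string
}

// RootCert holds the cloud server's first identity public key and first description
// information, signed with its first identity private key. Sig is left out of the JSON,
// so canon(cert) is exactly the signed byte string (likewise for DeviceCert).
type RootCert struct {
	IdentityPub []byte
	Description string
	Sig         []byte `json:"-"`
}

// DeviceCert holds a machine's second identity public key, the cloud server's first
// description information and the machine's second description information.
type DeviceCert struct {
	IdentityPub       []byte
	IssuerDescription string
	Description       DeviceDescription
	Sig               []byte `json:"-"`
}

// canon is the deterministic byte string that is signed and verified.
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// CloudServer is the issuer; AllowedModels stands in for its check of the second
// description information (what it actually checks is an assumption).
type CloudServer struct {
	priv          ed25519.PrivateKey
	Description   string
	AllowedModels map[string]bool
}

func (c *CloudServer) IssueRootCert() RootCert {
	cert := RootCert{IdentityPub: []byte(c.priv.Public().(ed25519.PublicKey)), Description: c.Description}
	cert.Sig = ed25519.Sign(c.priv, canon(cert))
	return cert
}

// IssueDeviceCert verifies the second description information and requires the target
// network's application joining confirmation before signing the digital certificate.
func (c *CloudServer) IssueDeviceCert(devPub ed25519.PublicKey, desc DeviceDescription, confirmed bool) (DeviceCert, error) {
	if desc.Serial == "" || !c.AllowedModels[desc.Model] {
		return DeviceCert{}, errors.New("second description information rejected")
	}
	if !confirmed {
		return DeviceCert{}, errors.New("no application joining confirmation from the target network")
	}
	cert := DeviceCert{IdentityPub: []byte(devPub), IssuerDescription: c.Description, Description: desc}
	cert.Sig = ed25519.Sign(c.priv, canon(cert))
	return cert, nil
}

// BlockchainNode is a node of the target network that trusts one root certificate.
type BlockchainNode struct {
	Root RootCert
}

// VerifyJoin checks the digital certificate with the root certificate and against the
// second description information the machine presents; both must pass before it may join.
func (n *BlockchainNode) VerifyJoin(cert DeviceCert, presented DeviceDescription) error {
	rootPub := ed25519.PublicKey(n.Root.IdentityPub)
	if len(rootPub) != ed25519.PublicKeySize || !ed25519.Verify(rootPub, canon(n.Root), n.Root.Sig) {
		return errors.New("root certificate is not self-consistent")
	}
	if !ed25519.Verify(rootPub, canon(cert), cert.Sig) {
		return errors.New("digital certificate not signed by the root identity key")
	}
	if cert.IssuerDescription != n.Root.Description {
		return errors.New("issuer description does not match the root certificate")
	}
	if cert.Description != presented {
		return errors.New("presented second description information does not match the certificate")
	}
	return nil
}

// Scenario builds the parties from fixed seeds and constructed sample data.
func Scenario() (*CloudServer, *BlockchainNode, ed25519.PublicKey, DeviceDescription) {
	cloud := &CloudServer{priv: ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32)),
		Description: "cloud-server-v1", AllowedModels: map[string]bool{"aio-x1": true}}
	node := &BlockchainNode{Root: cloud.IssueRootCert()}
	devPub := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, 32)).Public().(ed25519.PublicKey)
	return cloud, node, devPub, DeviceDescription{Serial: "SN-0001", Model: "aio-x1"}
}

func main() {
	cloud, node, devPub, desc := Scenario()
	cert, err := cloud.IssueDeviceCert(devPub, desc, true)
	fmt.Println(err, node.VerifyJoin(cert, desc))
}
```

Note that the certificate alone binds a public key; a node still has to confirm that the joining machine holds the matching second identity private key (for instance by signing a nonce), which the patent text leaves to the node's join protocol.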

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110690822.7A CN113438289B (en) 2020-07-08 2020-07-08 Block chain data processing method and device based on cloud computing

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010652961.6A CN111541785B (en) 2020-07-08 2020-07-08 Block chain data processing method and device based on cloud computing
CN202110690822.7A CN113438289B (en) 2020-07-08 2020-07-08 Block chain data processing method and device based on cloud computing

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202010652961.6A Division CN111541785B (en) 2020-07-08 2020-07-08 Block chain data processing method and device based on cloud computing

Publications (2)

Publication Number Publication Date
CN113438289A CN113438289A (en) 2021-09-24
CN113438289B true CN113438289B (en) 2023-05-12

Family

ID=71976486

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010652961.6A Active CN111541785B (en) 2020-07-08 2020-07-08 Block chain data processing method and device based on cloud computing
CN202110690822.7A Active CN113438289B (en) 2020-07-08 2020-07-08 Block chain data processing method and device based on cloud computing

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010652961.6A Active CN111541785B (en) 2020-07-08 2020-07-08 Block chain data processing method and device based on cloud computing

Country Status (3)

Country Link
US (1) US11516011B2 (en)
EP (1) EP3937424B1 (en)
CN (2) CN111541785B (en)


Also Published As

Publication number Publication date
CN113438289A (en) 2021-09-24
CN111541785B (en) 2021-05-04
US20210328791A1 (en) 2021-10-21
EP3937424A1 (en) 2022-01-12
US11516011B2 (en) 2022-11-29
CN111541785A (en) 2020-08-14
EP3937424B1 (en) 2024-02-07

Similar Documents

Publication Publication Date Title
CN113438289B (en) Block chain data processing method and device based on cloud computing
CN111090888B (en) Contract verification method and device
CN111092726B (en) Method and device for generating shared contract key
CN111092727B (en) Method and device for sharing cluster key
CN111092914B (en) Method and device for accessing external data
CN112329041B (en) Method and device for deploying contracts
CN110580418B (en) Private data query method and device based on block chain account
CN112199701B (en) Method and device for calling contract
CN110580414B (en) Private data query method and device based on block chain account
CN110580413B (en) Private data query method and device based on down-link authorization
CN111541727B (en) Block chain all-in-one machine and automatic chain building method and device thereof
CN110580262B (en) Private data query method and device based on intelligent contract
CN110580412B (en) Permission query configuration method and device based on chain codes
CN111047450A (en) Method and device for calculating down-link privacy of on-link data
CN111541552B (en) Block chain all-in-one machine and automatic node adding method and device thereof
CN111541724B (en) Block chain all-in-one machine and automatic node adding method and device thereof
CN110580245B (en) Private data sharing method and device
CN110580411B (en) Permission query configuration method and device based on intelligent contract
KR102691220B1 (en) Secure and reliable bridge for asset transfer between networks with different architectures
CN114866409B (en) Password acceleration method and device based on password acceleration hardware

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant